Commit e80f8e8c authored by Matt Johnston's avatar Matt Johnston
Browse files

- Update manuals, include section on authorized_keys

- Change default PATH to /usr/bin:/bin
- Mention DEBUG_TRACE in -v help text

--HG--
extra : convert_revision : cdcc3c729e29544e8b98a408e2dc60e4483dfd2a
parent 1fdfa2ec
0.52
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to tunnel
standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned process for
IO rather than a direct TCP connection. eg
dbclient remotehost
is equivalent to
dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop" connections, with
comma-separated host syntax. Allows running
dbclient [email protected],[email protected],[email protected]
to end up at host3 via the other two, using SSH TCP forwarding. It's a bit
like onion-routing. All connections are established from the local machine.
The comma-separated syntax can also be used for scp/rsync, eg
scp -S dbclient [email protected],[email protected],canyons:/tmp/dump .
to bounce through a few hosts.
- Allow restrictions on authorized_keys logins such as restricting commands
to be run etc. This is a subset of those allowed by OpenSSH, doesn't
yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems with the
standard CBC mode.
- Support [email protected] delayed compression for client/server. It can be
required for the Dropbear server with the '-Z' option. This is useful for
security as it avoids exposing the server to attacks on zlib by
unauthenticated remote users, though requires client side support.
- options.h has been split into options.h (user-changable) and sysoptions.h
(less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by recent
versions of PuTTY
0.51 - Thu 27 March 2008
- Make a copy of password fields rather erroneously relying on getwpnam()
......
......@@ -106,8 +106,11 @@ Dropbear will also allow multiple "hops" to be specified, separated by commas. I
this case a connection will be made to the first host, then a TCP forwarded
connection will be made through that to the second host, and so on. Hosts other than
the final destination will not see anything other than the encrypted SSH stream.
A port for a host can be specified with a slash (eg [email protected]/44 ).
This syntax can also be used with scp or rsync (specifying dbclient as the
ssh/rsh command). A port for a host can be specified with a slash (eg [email protected]/44 ).
ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg
scp -S dbclient [email protected],[email protected],canyons:/tmp/dump .
.SH ENVIRONMENT
.TP
......
......@@ -94,6 +94,60 @@ useful for working around firewalls or routers that drop connections after
a certain period of inactivity. The trade-off is that a session may be
closed if there is a temporary lapse of network connectivity. A setting
if 0 disables keepalives.
.SH FILES
.TP
Authorized Keys
~/.ssh/authorized_keys can be set up to allow remote login with a RSA or DSS
key. Each line is of the form
.TP
[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored).
Restrictions are comma separated, with double quotes around spaces in arguments.
Available restrictions are:
.TP
.B no-port-forwarding
Don't allow port forwarding for this connection
.TP
.B no-agent-forwarding
Don't allow agent forwarding for this connection
.TP
.B no-X11-forwarding
Don't allow X11 forwarding for this connection
.TP
.B no-pty
Disable PTY allocation. Note that a user can still obtain most of the
same functionality with other means even if no-pty is set.
.TP
.B command="\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR.
The authorized_keys file and its containing ~/.ssh directory must only be
writable by the user, otherwise Dropbear will not allow a login using public
key authentication.
.TP
Host Key Files
Host key files are read at startup from a standard location, by default
/etc/dropbear/dropbear_dss_host_key and /etc/dropbear/dropbear_rsa_host_key
or specified on the commandline with -d or -r. These are of the form generated
by dropbearkey.
.TP
Message Of The Day
By default the file /etc/motd will be printed for any login shell (unless
disabled at compile-time). This can also be disabled per-user
by creating a file ~/.hushlogin .
.SH AUTHOR
Matt Johnston ([email protected]).
.br
......
......@@ -259,7 +259,7 @@ be overridden at runtime with -K. 0 disables keepalives */
#define DEFAULT_KEEPALIVE 0
/* The default path. This will often get replaced by the shell */
#define DEFAULT_PATH "/bin:/usr/bin"
#define DEFAULT_PATH "/usr/bin:/bin"
/* Some other defines (that mostly should be left alone) are defined
* in sysoptions.h */
......
......@@ -83,7 +83,7 @@ static void printhelp(const char * progname) {
"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
"-K <keepalive> (0 is never, default %d)\n"
#ifdef DEBUG_TRACE
"-v verbose\n"
"-v verbose (compiled with DEBUG_TRACE)\n"
#endif
,DROPBEAR_VERSION, progname,
#ifdef DROPBEAR_DSS
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment